Info

This document is part of an original submission for the RP2350 Hacking Challenge.

For more detailed and up-to-date content, refer to “Laser Fault Injection on a Budget: RP2350 Edition”.

Attack Overview

This page provides a very high-level overview of the steps used to attack the secure boot feature of the RP2350, resulting in the execution of arbitrary firmware.

Other pages provide more in-depth technical details.

Step 1: Sample Preparation

The laser fault injection is performed from the backside of the die. This requires specific preparation of the target RP2350. The steps are outlined in the Sample Preparation Page.

Step 2: Hardware Setup

The prepared sample is soldered onto a custom carrier board, documented in the RP2350 “Backside” Electronic Boards Page. This custom electronic interface connects to a host computer and an FPGA board where the logic of the attack is implemented.

This board can be mounted to the Laser Fault Injection Platform.

Close-up view of the custom electronic boards mounted into the Laser Fault Injection Platform

The Optical Assembly can be used to observe the die of the target and align the fault injection laser to a sensitive area.

A 3D render of the entire system is available from the Interactive 3D Render Page.

Step 3: Attack

A study of the RP2350 Boot ROM revealed that a single fault injection can lead to a bypass of the secure boot feature.

Details regarding the method used here are explained in the Boot ROM Fault Injection Page.

Step 4: Success

The screen of my computer after the very first secure boot bypass I observed

Last update: November 23, 2024